I. Purpose
Minimize the resources that service processes on the system can access (the principle of least privilege).
II. Security context
# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 initial-setup-ks.cfg
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 公共
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 模板
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 视频
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 图片
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 文档
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 下载
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 音乐
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 桌面
u: user; r: role; t: type.
# pstree -Z
systemd(`system_u:system_r:init_t:s0')
├─ModemManager(`system_u:system_r:modemmanager_t:s0')
│ └─2*[{ModemManager}(`system_u:system_r:modemmanager_t:s0')]
├─NetworkManager(`system_u:system_r:NetworkManager_t:s0')
│ └─2*[{NetworkManager}(`system_u:system_r:NetworkManager_t:s0')]
├─VGAuthService(`system_u:system_r:vmtools_t:s0')
├─abrt-dbus(`system_u:system_r:abrt_t:s0-s0:c0.c1023')
│ └─2*[{abrt-dbus}(`system_u:system_r:abrt_t:s0-s0:c0.c1023')]
Field | Description | Meaning
---|---|---
u (user identity) | unconfined_u: unconfined user | prevents access by anyone other than local users
u (user identity) | system_u: system user; only the system itself holds this identity | 
r (role) | object_r | a file or directory resource
r (role) | system_r: system resource; note that what ordinary users create also falls under system_r | 
t (type) | access policy | 
III. Configuration file
1. Configuration file analysis
# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2. Operating modes
Mode | Description
---|---
enforcing | Enforcing mode. Actions that violate SELinux rules are blocked and written to the log.
permissive | Permissive mode. Actions that violate SELinux rules are only written to the log. Generally used for debugging.
disabled | SELinux is turned off.
3. SELinux logging
# systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since 六 2020-05-23 12:14:40 CST; 1 weeks 3 days ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 682 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 669 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 673 (auditd)
Tasks: 5
CGroup: /system.slice/auditd.service
├─673 /sbin/auditd
├─675 /sbin/audispd
└─677 /usr/sbin/sedispatch
......
4. Modifying the context
# ll -Z test.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 test.html
# setenforce 0 # switch SELinux to permissive mode (no enforcement)
# chcon -t admin_host_t test.html # change the security label
# ll -Z test.html
-rw-r--r--. root root unconfined_u:object_r:admin_host_t:s0 test.html
# setenforce 1 # switch SELinux back to enforcing mode
# restorecon test.html # restore its default label
# ll -Z test.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 test.html
Alternatively, use the setroubleshoot tool:
# yum install setroubleshoot
# tailf /var/log/messages
Jun 2 22:40:42 localhost setroubleshoot: failed to retrieve rpm info for /var/www/html/test.html
Jun 2 22:40:43 localhost setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/test.html. For complete SELinux messages run: sealert -l 1a3bed1b-1cae-4183-afd6-e2f662bc0bf9
......
# sealert -l 1a3bed1b-1cae-4183-afd6-e2f662bc0bf9 # fix the problem following the suggested solution
......
Then run:
restorecon -v '/var/www/html/test.html'
......
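As an added example (not part of the original notes), the Python below parses security contexts of the user:role:type:level form shown in section II and extracts AVC denials of the kind setroubleshoot summarised above from raw audit.log records, then groups them by source domain, target type, object class and permission so that a mislabelled file like test.html stands out. The log lines are constructed for the example; they follow the record format auditd writes to /var/log/audit/audit.log.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (not from the original notes): two AVC records of the kind
# setroubleshoot summarises as "SELinux is preventing httpd from getattr access on
# the file ...", plus one SYSCALL record that carries no SELinux decision.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1591108843.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/test.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1591108843.125:457): avc:  denied  { read } for  pid=1234 comm="httpd" path="/var/www/html/test.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1591108843.125:457): arch=c000003e syscall=257 success=no exit=-13
"""

@dataclass(frozen=True)
class Context:
    user: str   # SELinux user: system_u, unconfined_u, ...
    role: str   # role: object_r for files, system_r for daemons, ...
    type: str   # type (the "domain" for a process); what targeted policy decides on
    level: str  # MLS/MCS level or range: "s0" or "s0-s0:c0.c1023"

def parse_context(ctx: str) -> Context:
    """Split user:role:type[:level]; the level may itself contain ':' (s0-s0:c0.c1023)."""
    user, role, type_, *rest = ctx.split(":")
    return Context(user, role, type_, ":".join(rest))

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(log_text: str) -> list:
    """One dict per denied permission: which domain was refused what on which target type."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH/CWD records are companions, not decisions
        src, tgt = parse_context(m["scontext"]), parse_context(m["tcontext"])
        for perm in m["perms"].split():  # one record may list several perms: { read open }
            denials.append({"comm": m["comm"], "domain": src.type, "target_type": tgt.type,
                            "tclass": m["tclass"], "perm": perm})
    return denials

def summarize(denials: list) -> Counter:
    """Count (domain, target_type, class, perm) tuples: either the allow rule the policy
    lacks or, as in the walk-through above, the sign that a file carries the wrong label."""
    return Counter((d["domain"], d["target_type"], d["tclass"], d["perm"]) for d in denials)
```

Running summarize(parse_avc_denials(SAMPLE_AUDIT_LOG)) yields one count each for httpd_t denied getattr and read on an admin_home_t file, which is exactly what restorecon fixes by relabelling the file httpd_sys_content_t.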